author | Alexander Richardson <Alexander.Richardson@cl.cam.ac.uk> | 2019-09-10 07:54:11 +0100 |
committer | Arnold Robbins <arnold@skeeve.com> | 2019-09-10 09:54:11 +0300 |
commit | cbf924342b63a095a4c6842280c3085b1b63ae45 (patch) | |
tree | 2e3d6c89a6c5a20b3336cadf5438850063fbb9aa | |
parent | 50e6962495a6f36f545d4102ccb82a2dc50b0a20 (diff) | |
download | one-true-awk-cbf924342b63a095a4c6842280c3085b1b63ae45.tar.gz |
Fix out-of-bounds access in gototab array for caret character (#47)
When matching a caret, the expression `f->gototab[s][c] = f->curstat;` in
cgoto() will index the 2D-array gototab with [s][261]. However, gototab
is declared as being of size [NSTATES][NCHARS], so [32][259]. Therefore,
this assignment will write to the state for character 0x1.
I'm not sure how to create a regression test for this, but increasing the
array size to HAT+1 values fixes the error and the tests still pass.
I found this issue while running awk on a CHERI system with sub-object
protection enabled. On x86, this can be reproduced by compiling awk
with -fsanitize=undefined.
-rw-r--r-- | awk.h | 3 | ||||
-rw-r--r-- | b.c | 2 |
2 files changed, 2 insertions, 3 deletions
@@ -212,6 +212,7 @@ extern int pairstack[], paircnt;
#define NCHARS (256+3) /* 256 handles 8-bit chars; 128 does 7-bit */
/* watch out in match(), etc. */
+#define HAT (NCHARS+2) /* matches ^ in regular expr */
#define NSTATES 32
typedef struct rrow {
@@ -225,7 +226,7 @@ typedef struct rrow {
} rrow;
typedef struct fa {
- uschar gototab[NSTATES][NCHARS];
+ uschar gototab[NSTATES][HAT + 1];
uschar out[NSTATES];
uschar *restr;
int *posns[NSTATES];
@@ -34,8 +34,6 @@ THIS SOFTWARE.
#include "awk.h"
#include "ytab.h"
-#define HAT (NCHARS+2) /* matches ^ in regular expr */
-
/* NCHARS is 2**n */
#define MAXLIN 22
#define type(v) (v)->nobj /* badly overloaded here */ |
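Review bot: The new bound `HAT + 1` on `gototab` in the second awk.h hunk is only right because HAT (NCHARS+2) is, per the description, the index cgoto() stores for a caret and presumably the largest index anything stores into the table, yet nothing near the declaration says so, so the same hidden dependency that made the old NCHARS bound an out-of-bounds write is now encoded silently in the array size. I would record it at the declaration, e.g. `uschar gototab[NSTATES][HAT + 1]; /* columns 0..NCHARS-1 are chars, column HAT is ^; HAT must stay the largest index used by cgoto() in b.c */`. If any other per-character table or `c < NCHARS` loop in b.c is indexed with HAT, it needs the same bound; that code is outside this diff, so it is worth checking rather than assuming. Moving HAT from b.c into the shared header also exposes a short, generic macro name to every unit that includes awk.h, so the define would read better with its comment stating that it is a gototab column index rather than a character value. struct fa continues past the end of the second hunk.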